I want to get values of a id specified row in my "Service Fees" table. When I try to execute following code an exception, which says "An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code.Additional information: Incorrect syntax near 'a34'."
Is it about Dataset object?
PS: The id is; ee83089d-4a34-46e0-be6c-b8b506f31a8e
if (Request.QueryString["MyId"] != null)
{
isUpdate = true;
var id = Request.QueryString["MyId"].ToString();
SqlCommand cmd2 = new SqlCommand("SELECT * FROM ServiceFees WHERE Id=" + id, connection);
SqlDataAdapter adapter2 = new SqlDataAdapter(cmd2);
DataSet ds = new DataSet();
adapter2.Fill(ds);
sf1.name = ds.Tables[0].Rows[0][1].ToString();
}
Enclose your id in single quote, it should look like :
SqlCommand cmd2 = new SqlCommand("SELECT * FROM ServiceFees WHERE Id='" + id +"'", connection);
Id is GUID and it should be enclosed within single quotes.
SqlCommand cmd2 = new SqlCommand("SELECT * FROM ServiceFees WHERE Id= #id", connection);
cmd2.Parameters.Add(new SqlParameter("id",id));
to avoid sql injection.
Beware of SQL Injection
Dont pass parameters in single quotes,Double quotes
Always use SqlParameter Class
As your Parameter is String You need to Pass it As string DataType
string Id="ee83089d-4a34-46e0-be6c-b8b506f31a8e";
SqlParameter para1=new SqlParameter("#Id",SqlDbType.Varchar,500);
para1.Value=Id;
SqlCommand cmd2 = new SqlCommand("SELECT * FROM ServiceFees WHERE Id=#Id" , connection);
cmd2.Parameters.Add(para1);
SqlDataAdapter adapter2 = new SqlDataAdapter(cmd2);
You're passing the id unquoted to SQL.
As a result it's probably trying to calculate the result of ee83089d-4a34-46e0-be6c-b8b506f31a8e.
You probably want:
SqlCommand cmd2 = new SqlCommand("SELECT * FROM ServiceFees WHERE Id='" +
id + "'", connection);
Or some other SQL call which isn't vulnerable to injection attacks.
Related
I am trying to update my data in a SQL Server database through C#. I am getting updated. But the problem is the data is updated twice.
For example I have 10 (int) in my balance and if I add another 10, it turns to 30.
Any help would be appreciated.
Here is my code:
protected void LoginClick(object sender, EventArgs e)
{
DataTable dr = new DataTable();
string email = txtEmail.Text;
SqlConnection con = new SqlConnection(Ws.Con);
con.Open();
int s = Convert.ToInt32(add.Text);
SqlCommand cmd = new SqlCommand("Update [Order] set Balance=Balance+'" + s + "',Card='" + card.Text + "' where email=#email ", con);
cmd.Parameters.AddWithValue("email", email);
SqlDataAdapter sda = new SqlDataAdapter(cmd);
DataTable dt = new DataTable();
sda.Fill(dt);
int i = cmd.ExecuteNonQuery();
con.Close();
}
I would like to rectify few mistakes in your code,
DataTable is not needed to execute the update query, ExecuteNonQuery will do the job
The adapter.Fill and ExecuteNonQuery do the same job here and that's why your updates happening twice
Make use of parameterization while dealing with user inputs to avoid exceptions
For parsing integers use int.TryParse instead for Convert.ToInt32
I think the following code would help you to do the same function in a smarter way:
int currentBalance = 0;
if(int.TryParse(txtAdd.Text, out currentBalance))
{
string querSql = "Update [Order] set Balance = Balance + #balance," +
" Card = #card where email = #email"
using (SqlConnection dbConn = new SqlConnection("connectionString here"))
{
dbConn.Open();
using (SqlCommand sqlCommand = new SqlCommand(querySql, dbConn))
{
sqlCommand.Parameters.Add("#balance", SqlDbType.int).value = currentBalance;
sqlCommand.Parameters.Add("#card", SqlDbType.VarChar).value = card.Text;
sqlCommand.Parameters.Add("#email", SqlDbType.VarChar).value = email;
sqlCommand.ExecuteNonQuery();
}
}
}
Please note: YOu are parsing the balance as an integer value, so I assume the column Balance is an integer field in the database, if not make use of corresponding datatype for the parameter #balance also update the parsing technique
As per the documentation:
SqlDataAdapter(SqlCommand)
Initializes a new instance of the SqlDataAdapter class with the specified SqlCommand as the SelectCommand property.
What is going wrong in your code?
Actually you are passing SqlDataAdapter your update query as the Select command. So now when you will use this instance of SqlDataAdapter to Fill your datatable then actually you are executing your Update command. Look at the following code along with comments to see what is going wrong:
DataTable dr = new DataTable();
string email = txtEmail.Text;
SqlConnection con = new SqlConnection(Ws.Con);
con.Open();
int s = Convert.ToInt32(add.Text);
SqlCommand cmd = new SqlCommand("Update [Order] set Balance=Balance+'" + s + "',Card='" + card.Text + "' where email=#email ", con);
cmd.Parameters.AddWithValue("email", email);
SqlDataAdapter sda = new SqlDataAdapter(cmd);//The Select command for SqlDataAdapter
//is actually now the update command specified by cmd instnace of SqlCommand
DataTable dt = new DataTable();
sda.Fill(dt);//here SqlDataAdapter will execute it's Select command which is actually set
//to an update statement so your record will be updated
int i = cmd.ExecuteNonQuery();//and here again the update command is being executed now
//directly using the SqlCommand cmd instance and thus your record gets updated twice
con.Close();
Fixed Code:
DataTable dr = new DataTable();
string email = txtEmail.Text;
SqlConnection con = new SqlConnection(Ws.Con);
con.Open();
int s = Convert.ToInt32(add.Text);
SqlCommand cmd = new SqlCommand("Update [Order] set Balance=Balance+'" + s + "',Card='" + card.Text + "' where email=#email ", con);
cmd.Parameters.AddWithValue("email", email);
//Create a new SqlComamnd
SqlCommand selectCommand = new SqlCommand("Select * from [Order]");
//Put the newly created instance as SelectCommand for your SqlDataAdapter
SqlDataAdapter sda = new SqlDataAdapter(selectCommand);
DataTable dt = new DataTable();
sda.Fill(dt);
int i = cmd.ExecuteNonQuery();
con.Close();
Hope this help and do have a look at the documentation for better understanding of the SqlDataAdapter and DataTable. Thanks.
I am trying to add a where clause to the following line of code.
the reason for this is because i get the datatable from a dropdown combobox. now i want to filter that table on user name, so that only the user can see their records.
i need help on how to write the where clause into this code.
if you need any more information i will gladding add it.
thank you for any help.
OleDbCommand cmd = new OleDbCommand(String.Concat("Select * From ", comboBox1.Text), con);
After Comments
i added the sql injection protection.
OleDbCommand cmd = new OleDbCommand(String.Concat("Select * From
#Companydetails where Research_ID = #Researcher_ID"), con);
cmd.Parameters.AddWithValue("#Companydetails", comboBox1.Text);
cmd.Parameters.AddWithValue("#Researcher_ID", usernumber_lab.Text);
but now it is giving me a error saying:
Additional information: Syntax error in query. Incomplete query clause.
is there something else i need to add to finnish this query off?
I would do it as follows;
string query = "Select * from MyTable Where username = #username";
using (OleDbCommand cmd = new OleDbCommand(query, con))
{
cmd.Parameters.Add("#username", OleDbType.VarChar).Value = comboBox1.Text;
}
This way the object will dispose automatically and also you'll be safe from Sql Injection
Please try this
string sql = String.format("Select * From {0} where id = {1}", comboBox1.Text, id);
OleDbCommand cmd = new OleDbCommand(sql,con);
You can just make your sql statement longer:
OleDbCommand cmd = new OleDbCommand(String.Concat("Select * From table Where something = something", comboBox1.Text), con);
You don't have to work with multiline or anything. This is only needed in some database managers, but not in a c# sql statement.
If you would like
OleDbCommand cmd = new OleDbCommand(String.Format("Select * From {0} WHERE username='{1}'", comboBox1.Text,username.Text), con);
You can try the below code
OleDbCommand cmd = new OleDbCommand(string.Format(
"SELECT * FROM {0} WHERE Username = '{1}'",
comboBox1.Text, userName), con);
Hello I have got this code :
SqlCommand sc2 = new SqlCommand("SELECT ... WHERE akce=" + zakce.Text, spojeni);
spojeni.Open();
object vysledek2 = sc2.ExecuteScalar(); // This is the exception line
I'm receving following Exception:
System.Data.SqlClient.SqlException (0x80131904)Conversion failed when
converting the varchar value '137000-01' to data type int.
On the exception line when I set the breakpoint on vysledek2 is null and then the exception occurs.
Never. Ever. Concatenate. Input.
SqlCommand sc2 = new SqlCommand("SELECT SUM(ISNULL(payments,0)) AS sumpaymentsFROM clientpayments WHERE akce=#acke", spojeni);
sc2.Parameters.AddWithValue("acke", zakce.Text);
Also - commands, connections, etc are all IDisposable - you should use using around each of them.
const string sqlSelect = #"SELECT ... WHERE akce=#akce";
using (spojeni = new SqlConnection(connectionString))
using(var command = new SqlCommand(sqlSelect,spojeni))
{
command.Parameters.AddWithValue("#akce", zakce.Text);
command.Connection.Open();
object vysledek2 = command.ExecuteScalar();
}
Firstly, try changing
SqlCommand sc2 = new SqlCommand("SELECT SUM(ISNULL(payments,0)) AS sumpaymentsFROM clientpayments WHERE akce=" + zakce.Text, spojeni);
to something like
SqlCommand sc2 = new SqlCommand("SELECT SUM(ISNULL(payments,0)) AS sumpaymentsFROM clientpayments WHERE akce='" + zakce.Text + "'", spojeni);
Secondly, have a look at what SQL Injection is and how to use parametereized queries.
I want to return a particular record from the webservice. Still what i have successfully done is, got all the records by the following code:
SqlConnection con;
SqlDataAdapter adap;
DataSet ds;
[WebMethod]
public DataSet Getmember()
{
con = new SqlConnection(#"Data Source=SQLDOTNET\MSSQLSERVER2008;Initial Catalog=doctor;Persist Security Info=True;User ID=sa;pwd=test123#;");
adap = new SqlDataAdapter("select * from tblusers", con);
ds = new DataSet();
adap.Fill(ds, "tblusers");
return ds;
}
Now i want to get a particular record by Emailid for that i have tried the following code:
SqlConnection con;
SqlDataAdapter adap;
DataSet ds;
[WebMethod]
public DataSet Getmember(String Emailid)
{
Emailid = "test#test.com";
con = new SqlConnection(#"Data Source=SQLDOTNET\MSSQLSERVER2008;Initial Catalog=doctor;Persist Security Info=True;User ID=sa;pwd=test123#;");
adap = new SqlDataAdapter("select * from tblusers where EmailAddress=" + Emailid, con);
ds = new DataSet();
adap.Fill(ds, "tblusers");
return ds;
}
But this code throwing the following error:
System.Data.SqlClient.SqlException: Invalid column name 'test#test.com'.
Please help me..
You need to enclose string literals in single quotes in SQL:
"select * from tblusers where EmailAddress = '" + Emailid + "'"
But this leaves you open to SQL injection attacks and is not recommended. (Examine what would happen if Emailid were set to "' OR 1=1 OR ''='".)
You should specify Emailid as a parameter value instead:
var cmd = new SqlCommand("select * from tblusers where EmailAddress = ?");
cmd.Parameters.Add(Emailid);
adap = new SqlDataAdapter(cmd, con);
change the
Emailid = "test#test.com";
to
Emailid = "'test#test.com'";
Note the extra single quotes arount emailid
Dont know if this would help cause I havent use C # for some time
I think your error goes on this part
select * from tblusers where EmailAddress=" + Emailid
Try changing it to
"select * from tblusers where EmailAddress='" + Emailid + "'"
At first you should use SQL parameters... not the plain SQL queries so better check SQL Parameters
adap = new SqlDataAdapter("select * from tblusers where EmailAddress=" + Emailid, con);
should be changed to
adap = new SqlDataAdapter("select * from tblusers where EmailAddress='" + Emailid + "'", con);
You miss to have "'" in you query .. Better you look at the statement syntax...
I have two columns syntax and query in my table Table1. Syntax contains data called po and a query called select * from po_pomas_pur_order_hdr where pomas_pono =. I got this query value by using
SqlDataAdapter da = new SqlDataAdapter("select query from Table1 where syntax = '" + textBox1.Text + "'", conn);
And my problem is that I need to dynamically pass another value inside the query which I retrived using dataadapter like this:
SqlDataAdapter da1 = new SqlDataAdapter(da.tostring() +"'"+ textBox1.Text +"'", conn)
The resulting query should be like this:
select * from po_pomas_pur_order_hdr where pomas_pono = '2PO/000002/09-10'
But it is not possible. How to get a query like this? Any suggestion?
SqlDataAdapter is used to fill datasets and datatables. You cannot obtain the result of a query with ToString(). I think you want to use SqlCommand to execute your first query to retrieve the actual query to run from the database like this:
string query = null;
using (var command = new SqlCommand("select query from Table1 where syntax = #Syntax", conn))
{
command.Parameters.AddWithValue("#Syntax", textBox1.Text);
query = command.ExecuteScalar(); // this assumes only one query result is returned
}
Then you can use the data adapter to fill it:
SqlDataAdapter da1 = new SqlDataAdapter(query +"'"+ textBox1.Text +"'", conn);
Although I would suggest to use parameters for that as well.
in this way is more safe: dotnetperls
He check the "'" and the "\", check the type of the fields etc...
Code from the example above (is the same for insert delete and update):
using (SqlCommand command = new SqlCommand("SELECT * FROM Dogs1 WHERE Name LIKE #Name", connection))
{
//
// Add new SqlParameter to the command.
//
command.Parameters.Add(new SqlParameter("Name", dogName));
//
// Read in the SELECT results.
//
SqlDataReader reader = command.ExecuteReader();
while (reader.Read())
{
int weight = reader.GetInt32(0);
string name = reader.GetString(1);
string breed = reader.GetString(2);
Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}", weight, name, breed);
}
}
I suggest you to use SqlParameters. Here is example how to use DataAdapter and parameters.
Provided that you have a DataSet you intend to fill using the adapter and that you adjust the queries to use parameters in order to avoid sql injection you should be able to use something like this:
string query;
using(var sqlCommand = new SqlCommand(
"select query from Table1 where syntax=#syntax", conn))
{
sqlCommand.Parameters.AddWithValue("syntax", textBox1.Text);
query = (string)sqlCommand.ExecuteScalar();
}
using(var dataAdapter = new SqlDataAdapter())
using(var dataCommand = new SqlCommand(query, conn))
{
dataCommand.Parameters.AddWithValue("parameter", poNumber);
dataAdapter.SelectCommand = dataCommand;
dataAdapter.Fill(myDataSet);
}